CVE-2026-34177
Critical severity (CVSS 9.1). NVD Advisory. Published Apr 9, 2026, updated Apr 22, 2026.
Description
Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root.
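The description above names the failure mode: a denylist that enumerates low-level keys one by one and misses two of them. The following Go example is added here and is not taken from LXD's source or the linked pull request. It contrasts an exact-match denylist with a prefix rule that covers the whole raw.* namespace, and adds a check that surfaces the gap between the two. The function names (isForbiddenExact, isForbiddenByPrefix, missingFromDenylist, validateVMConfig) and the key lists are constructed for illustration; raw.qemu is used only as a stand-in for a key the list did cover, and the config values are placeholders, not working rules.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Added illustration of the "incomplete denylist" failure mode from the
// advisory. Not LXD's code: names below are hypothetical, lists are constructed.

// exactDenylist models a list that names keys individually. raw.qemu stands in
// for "a key the list remembered"; raw.apparmor and raw.qemu.conf, which the
// advisory names as omitted, are deliberately absent here.
var exactDenylist = map[string]bool{
	"raw.qemu": true,
}

// isForbiddenExact is the fragile form: a key is blocked only if someone
// remembered to list it.
func isForbiddenExact(key string) bool {
	return exactDenylist[key]
}

// isForbiddenByPrefix is the robust form: the whole raw.* namespace is treated
// as low-level, so a key that was forgotten (or added later) is blocked by default.
func isForbiddenByPrefix(key string) bool {
	return strings.HasPrefix(key, "raw.") || exactDenylist[key]
}

// missingFromDenylist returns, sorted, the candidate keys the prefix rule would
// block but the exact list does not. Running this over the documented key set
// is a cheap regression check against the gap the advisory describes.
func missingFromDenylist(candidates []string) []string {
	var missing []string
	for _, k := range candidates {
		if isForbiddenByPrefix(k) && !isForbiddenExact(k) {
			missing = append(missing, k)
		}
	}
	sort.Strings(missing)
	return missing
}

// validateVMConfig models the project-restriction check: when the project sets
// restricted.virtual-machines.lowlevel=block, any forbidden key in the requested
// instance config is rejected. The forbidden predicate is injected so both
// denylist forms can be compared on the same input.
func validateVMConfig(projectConfig, instanceConfig map[string]string, forbidden func(string) bool) error {
	if projectConfig["restricted.virtual-machines.lowlevel"] != "block" {
		return nil
	}
	var rejected []string
	for k := range instanceConfig {
		if forbidden(k) {
			rejected = append(rejected, k)
		}
	}
	if len(rejected) == 0 {
		return nil
	}
	sort.Strings(rejected)
	return fmt.Errorf("low-level VM options are blocked in this project: %s", strings.Join(rejected, ", "))
}

func main() {
	project := map[string]string{"restricted.virtual-machines.lowlevel": "block"}
	// Constructed instance edit: the values are placeholders, not real rules.
	instance := map[string]string{
		"raw.apparmor":  "<placeholder apparmor rule>",
		"raw.qemu.conf": "<placeholder qemu config>",
	}
	fmt.Println("exact-match list:", validateVMConfig(project, instance, isForbiddenExact))
	fmt.Println("prefix rule:     ", validateVMConfig(project, instance, isForbiddenByPrefix))
	fmt.Println("keys the exact list misses:",
		missingFromDenylist([]string{"raw.apparmor", "raw.qemu", "raw.qemu.conf", "boot.autostart"}))
}
```

With the exact-match list the edit is accepted silently, which is the bug class; with the prefix rule the same edit is rejected. The missingFromDenylist check is the kind of test a maintainer can keep next to the list so that any raw.* key not covered fails CI rather than shipping.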
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/canonical/lxd | Go | >= 0.0.0-20210305023314-538ac3df036e, <= 0.0.0-20260226085519-736f34afb267 | — |
Affected products
- GHSA coordinates, affected range: >= 0.0.0-20210305023314-538ac3df036e, <= 0.0.0-20260226085519-736f34afb267
References
- github.com/advisories/GHSA-fm2x-c5qw-4h6f (GHSA advisory)
- github.com/canonical/lxd/security/advisories/GHSA-fm2x-c5qw-4h6f (NVD: Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-34177 (GHSA advisory)
- github.com/canonical/lxd/pull/17909 (NVD: Issue Tracking)